How to secure Kryonet (SSLSocketChannel)

Question

I have a working game servers + clients system using Kryonet that I want to secure. I have read a lot of the source code for Kryo and Kryonet and also a bit about java.nio (SocketChannels and SSL). I have a good enough understanding in encryption working with Java but I am not sure if I got all the concepts right when it comes to Kryonet and SocketChannels using SSL.

You can Encrypt the objects you send in Kryonet with Blowfish but I can not see this being secure? What I mean is that all clients must use the same symmetric secret key since you do not encrypt the client connections separately but instead the serialization on the server and thus all client need the same secret and it wont be that secret anymore?

Then I looked at changing Kryonet source to use SSLSockets but I saw that Kryonet use non blocking IO and from what I have read using a SSLSocket instead of a Socket would not be good when working with SocketChannels? This is where I am really at a loss and not sure if it would be worth the effort so I was hoping someone with more insight in Kryonet and SocketChannels could help me out a little. It seems impossible to secure Kryonet but I really do not want to switch at this point in my project so any suggestion are very welcome!

Answer 1

You are correct, mere encryption isn't secure even if you solve the key distribution problem unless Kryonet also does all the things that SSL does, starting with peer authentication.

There is no SSLSocketChannel in Java. You have to do all the hard yakka yourself with an SocketChannel and the dear old SSLEngine , which takes practically a Ph.D. to drive correctly.

See the jsse tag, passim, for numerous posts about the SSLEngine by me, which I will not repeat here.